BIG-IP APM and F5 Access for ios Version 3.0.0

Transcription

1 BIG-IP APM and F5 Access for ios 2018 Version 3.0.0

2

3 Table of Contents Table of Contents Overview: F5 Access for ios...5 Introducing F5 Access Differences between F5 Access 2018 and F5 Access 2.1.x...5 F5 Access and mobile devices...7 About app notifications...8 About SAML support...8 About supported authentication types...8 About establishing VPN connections...9 About pre-logon checks supported for ios devices...9 About automatically launching applications from mobile devices...10 About network integration on ios devices...11 Setting up network access...11 Prerequisites for configuring F5 Access...12 Access Policy Manager configuration for F5 Access for ios devices...13 Running the Network Access Setup wizard...13 Customizing client proxy settings for macos...13 Customizing an access policy to support F5 Access on Access Policy Manager...14 Overview: Access Policies for F5 Access...15 About access policy branches for F5 Access...15 Example of basic access policy that supports F5 Access...15 Configuring Per-App VPN with APM and F5 Access...17 What is per-app VPN?...17 About deploying MDM apps over VPNs...17 Creating an access profile...18 About setting up Access Policy Manager for per-app VPN...20 Configuring a virtual server for per-app VPN...20 Managing Devices for F5 Access...23 About managing devices...23 Creating a custom device-wide VPN MDM profile...23 Creating a custom Per-App VPN MDM profile...23 Creating a configuration profile for the managed device...24 Additional Access Policy Manager Configuration Information...31 F5 Access for ios session variables

4 Table of Contents Access Policy Manager configuration tips...32 About starting the client from a URL scheme...33 Examples of starting a client from a URL...34 About defining a server from a URL...35 Examples of defining a server from a URL

5 Overview: F5 Access for ios Introducing F5 Access 2018 F5 Access for ios 2018 is a new client, built on the latest Apple VPN architecture. Apple's new Network Extension architecture allows for some features that were not previously included in our ios client, including the ability to use UDP apps with Per-App VPN. Apple has deprecated their previous VPN technology, which will not be supported in the future, so our previous clients based on older technology will eventually be deprecated as well. This is not a one-to-one upgrade from the previous version (F5 Access 2.x). A number of incompatibilities, possible incompatibilities, and configuration changes are outlined in this document that may affect your migration to F5 Access for ios MDM support for this new client is still in development. Please check with your MDM vendor for more information. There are access policy changes required to support this client. If you are planning to migrate users to the new client, please review all of the differences between the clients outlined in this document before you migrate your users. We expect to add features and to support to this client in the future, and eventually we expect the same level of support from MDM vendors with our existing client. Note: With this release, your MDM vendor may not include built-in support. We provide general guidance for your MDM configuration, if it supports custom configurations. Differences between F5 Access 2018 and F5 Access 2.1.x There are a number of differences between F5 Access 2018 and F5 Access 2.1.x. Configuration deployment changes When deploying configurations, there are several differences between F5 Access 2.1.x and F5 Access Table 1: Deployment differences VPN type Device-wide VPN Manually configured No user-side Client Certificate import User has to accept a permission dialog to add the first VPN configuration MDM configured The key VPNSubType has changed. In F5 Access 2.1.x: com.f5.f5-edge-client.vpnplugin In F5 Access 2018: com.f5.access.ios Per-App VPN No manual configuration The key VPNSubType has changed: In F5 Access 2.1.x: com.f5.f5-edge-client.vpnplugin In F5 Access 2018: com.f5.access.ios The key ProviderType must be set to packet-tunnel in F5 Access 2018.

6 Overview: F5 Access for ios VPN type Manually configured MDM configured The key PerAppVpn is no longer required in the VendorConfig dictionary in F5 Access Device UDID change Device UDID is no longer provided, due to ios changes. With an MDM, the device can be assigned an ID. This is assigned with the MdmDeviceUniqueId or UDID attribute. This assigned value populates the session variables session.client.mdm_device_unique_id and session.client.unique_id. If neither is provided this session variable is not present. If either field is provided by the MDM, both session variables are present. An example value is RC1KQLCJFOJEEM0XIOB3P52OMUQ3UN9Y3SDA5RWR. VPN establishment changes When establishing VPNs, there are several differences between F5 Access 2.1.x and F5 Access Table 2: VPN establishment changes VPN type Manual Device-wide VPN In F5 Access 2018, notifications must be enabled for any user prompts or Web Logon interactions. In F5 Access 2018, the user is able to save the password when connecting in native logon mode if the Save Password Method option in the Access Policy Manager Connectivity Profile is set to disk. On-demand In F5 Access 2018, notifications must be enabled for any user prompts or Web Logon interactions. With notifications enabled, these prompts and features are supported. Web Logon mode Authentication prompts in native mode Device authentication Per-App VPN No manual configuration A Per-App VPN connection cannot be established if user interaction is required. For F5 Access 2018, configure the access policy so user interaction is not required to establish the VPN connection. Access Policy Manager configuration changes When configuring Access Policy Manager, there are several differences between F5 Access 2.1.x and F5 Access Table 3: Enforcing logon mode APM configuration item Enforce Logon Mode Web Logon mode in F5 Acesss for ios app Change In the Connectivity Profile, the administrator can now enforce a specific logon mode, using the setting Enforce Logon Mode. The logon mode can be enforced as native or web. If Enforce Logon Mode is enabled in the Connectivity Profile, the user cannot change the Web Logon option. 6

7 BIG-IP APM and F5 Access for ios 2018 Table 4: APM Per-App VPN changes Per-App VPN configuration item Virtual Server Access policy ios device Change In the Virtual Server configuration, the option Application Tunnels (Java & Per-App VPN) is no longer required to be enabled With F5 Access 2018, Per-App VPN now uses an L3 tunnel. As such, the following items must be added to the applicable access policy branch: Network Access resource Webtop The ios device enforces the applications that are allowed to access the VPN, according to the Per-App VPN configuration. Apple App Transport Security (ATS) changes Apple Transport Security (ATS), implemented in F5 Access 2018, requires the following security changes for communications between F5 Access 2018 and the corresponding BIG-IP. Plain text HTTP connections are no longer allowed. HTTPS requires the strongest TLS configuration (TLS 1.2 and PFS cipher suites). Self-signed certificates are not supported unless the CA certificate is first Trusted on the device. Client Certificate authentication Client Certificate Authentication is not supported in Web Logon mode. F5 Access and mobile devices F5 Access for mobile devices provides full network access through BIG-IP Access Policy Manager. With network access, users can run applications such as RDP, SSH, Citrix, VMware View, and other enterprise applications on their mobile devices. For information about how to use F5 Access on your device, refer to the F5 Access for ios User Guide. F5 Access features include: N-factor authentication (at least two input fields, password and passcode) support User name and password, client certificate, and RSA SecurID support Multiple input field support Credential caching support Support for TouchID authentication, PIN, or a device password to make a connection, when using cached credentials Support for DNS address space for split-tunneling configurations Support for checking information from client devices Support for automatically launching applications on client devices Support for roaming between cellular and WiFi networks Landing URI support Logging support to report issues Support for private-side internal proxy servers. Public-side proxy servers are not currently supported. 7

8 Overview: F5 Access for ios Per-app VPN support for TCP and UDP applications Application notifications Diagnostics Traffic Graphs Support for SAML 2.0 features in BIG-IP Access Policy Manager ios widget support About app notifications F5 Access for ios 2018 requires that notifications be enabled for most user configurations. This requires that the app be started by the user and accept notifications. Important: The user is prompted to enable notifications only the first time the app is started. After the first app start, if the notifications dialog is dismissed, the user must manually enable notifications. If the user dismisses the notification dialog, the user can enable notifications manually. To enable notifications, in the Settings app, go to F5 Access > Notifications, and enable the Allow Notifications setting. Note: Notifications are not required to be enabled, only in a Per-App VPN scenario where no user intervention is required. About SAML support F5 Access for ios devices provides the following SAML support: Service provider-initiated access only, for example, APM acting as the service provider (SP) Web Logon mode only Single Log-Out (SLO): supported only when the logout action is initiated from the client When you use F5 Access as a client performing SP-initiated access, F5 Access first connects to BIG-IP Access Policy Manager (APM ). Because there is no assertion, APM redirects the client to the IdP. The IdP then authenticates the user and redirects F5 Access back to the SP with assertion. APM then accepts the assertion and establishes a VPN connection. You can then access back-end resources through >F5 Access. You can configure a BIG-IP system by configuring APM as an SP. The access policy that is associated with the configuration assigns a SAML AAA resource followed by a Network Access Resource. For more information about SAML configurations, refer to the BIG-IP Access Policy Manager : Authentication and Single Sign-On guide. About supported authentication types F5 Access for ios 2018 supports these authentication and connection type combinations. Tip: You can create a.mobileconfig file with Apple Configurator 2. Read Apple Configurator 2 documentation for more information. 8

9 BIG-IP APM and F5 Access for ios 2018 Authentication type Username and password Connection type Runtime prompts (login dialogs, device authentication, and other user input prompts) are allowed for: User-initiated connections, in native mode or Web Logon mode Device-wide VPN On-Demand connections, in native mode or Web Logon mode For a Per-App VPN connection, runtime prompts are not supported, so the username and password must be specified in device configuration specified by the MDM, or in the.mobileconfig file. Per-App VPN does not support Web Logon mode. Client certificate User-initiated connections, in native mode only Device-wide VPN On-Demand, in native mode only Per-App VPN connections Note: A client certificate can only be installed by an MDM, or with a.mobileconfig file. Client certificate + username and password Runtime prompts (login dialogs, device authentication, and other user input prompts) are allowed for: User-initiated connections, in native mode only. Device-wide VPN On-Demand connections, in native mode only. For a Per-App VPN connection, runtime prompts are not supported, so the username and password must be specified in the configuration. Per-App VPN does not support Web Logon mode. Note: A client certificate can only be installed by an MDM, or with a.mobileconfig file. About establishing VPN connections The F5 Access application (app) for mobile devices provides users with two options to establish a VPN tunnel connection. A user can start a tunnel connection explicitly with the F5 Access application, or implicitly through the VPN On-Demand functionality. For example, a connection can be configured to automatically trigger whenever a certain domain or host name pattern is matched. For Per-App VPN, the following on demand considerations apply. These do not apply to On-Demand device-wide VPN connections. When a Per-App VPN connection is initiated On-Demand, user intervention is not allowed. For example, if a password is needed for authentication, but is not supplied in the configuration, the connection fails. Note that RSA authentication is not supported. On-Demand Per-App VPN does not work with Web Logon. About pre-logon checks supported for ios devices Access Policy Manager can check unique identifying information from an ios client device. The supported session variables, which become populated with the ios client device information, are gathered automatically, 9

10 Overview: F5 Access for ios and can easily be combined with an LDAP or AD query to implement white-listing in a custom action to improve access context. This information allows Access Policy Manager to perform pre-logon sequence checks and actions based on information about the connecting device. Using such information, Access Policy Manager can perform the following tasks: Deny access if the ios version is less than the required level. Deny access if the app version is less than required. This example displays an access policy with a custom action to check the app version. Figure 1: Example of a custom action for checking the F5 Access app version About automatically launching applications from mobile devices You can configure F5 Access to launch an app with a registered URL scheme after a VPN connection is established. Auto-launching applications from F5 Access You can configure applications to automatically start on F5 Access once a connection is initiated. 1. On the Main tab, click Access > Connectivity / VPN > Network Access (VPN) > Network Access Lists. 2. Click the name of your network access resource on the list. 3. Click the Launch Applications tab. 4. Click Add. 5. In the Application Path field, type in your application path in the form of a URL scheme, for example, skype:// ?call. 6. Type any required parameters in the Parameters field. 7. From the Operating System list, select ios. 8. Click Finished. On the device, a warning is issued before the local application executes. 10

11 BIG-IP APM and F5 Access for ios 2018 About network integration on ios devices Access Policy Manager provides web application-level security to prevent malware attacks. As an administrator, you can enforce all web access through a secured gateway, as well as bypass secure gateways for internal resources. This is especially helpful, for example, when you have clients using corporate tablets, smartphones, or other mobile devices to browse the web. Setting up network access You can force traffic through a tunnel on F5 Access. Note: Although you disable Allow local subnet access while enabling Force all traffic through tunnel, the client still permits local subnet traffic to travel outside of the tunnel. This is a limitation of ios and not of F5 Access. 1. On the Main tab, click Access Policy > Network Access > Network Access List. The Network Access List screen opens. 2. Click the name to select a network access resource on the Resource List. The Network Access editing screen opens. 3. To configure the network settings for the network access resource, click Network Settings on the menu bar. 4. To optionally force all traffic through the tunnel, next to Traffic Options, enable Force all traffic through tunnel. If you enable Use split tunneling for traffic, you must also specify either a DNS suffix or DNS Address Space pattern to use the VPN DNS servers. If the "DNS Suffix" and "DNS Address Space" fields are both left blank, then F5 Access does not use the VPN DNS servers and sends all DNS traffic to public DNS servers. 5. To allow local subnet traffic to bypass the tunnel, select the Enable check box for Allow Local Subnet. This traffic bypasses the tunnel. 6. Click Update. 11

12 Overview: F5 Access for ios Prerequisites for configuring F5 Access Before configuring F5 Access for ios devices, you must complete the following requirements: Set up BIG-IP Access Policy Manager. Run the Network Access Setup Wizard. Additional information about network access and connectivity profiles can be found in the BIG-IP Access Policy Manager : Network Access Configuration guide. 12

13 Access Policy Manager configuration for F5 Access for ios devices To configure F5 Access for mobile devices support on BIG-IP Access Policy Manager, use the following configuration steps: Run the Network Access Setup Wizard. Optionally, set up SSO and ACLs for your network access. Refer to the BIG-IP Access Policy Manager Configuration Guide on the AskF5 Knowledge Base for instructions. Customize an access policy to support F5 Access. Running the Network Access Setup wizard Configure Access Policy Manager to provide users with full network access from their mobile devices using the Network Access Setup wizard for remote access. 1. On the Main tab, click Wizards > Device Wizards. The Device Wizards screen opens. 2. For Access Policy Manager Configuration, select Network Access Setup Wizard for Remote Access, and then click Next. 3. In the Basic Properties area of the wizard, clear the Enable Antivirus Check in Access Policy check box for Client Side Checks to ensure that your users can connect with F5 Access. 4. Click Finished. You now have network access resource that supports F5 Access for mobile devices. Customizing client proxy settings for macos Configure Network Access to provide further fucntionality for F5 Access connections. 1. On the Main tab, click Access > Connectivity / VPN > Network Access (VPN). The Network Access List screen opens. 2. Select a Network Access resource to edit. 3. Select Client Proxy Settings. 4. If you want to use an optional client proxy autoconfig (PAC) script, in the Client Proxy Autoconfig Script field type the URL for a proxy auto config script. 5. If you want to use an optional client proxy address, in the Client Proxy Address field, type the IP address for the client proxy server that network access clients use to connect to the Internet. 6. If you want to use an optional client proxy port, in the Client Proxy Port Type type the port number on the proxy server that you want network access clients to use to connect to the Internet. 7. If you want to bypass some addresses with the client proxy, in the Client Proxy Exclusion List field specify the Web addresses that do not need to be accessed through the proxy server. You can use wild cards to match domain and host names or addresses. For example, *, /, 8., mygroup.*, and *.*.

14 Access Policy Manager configuration for F5 Access for ios devices Customizing an access policy to support F5 Access on Access Policy Manager Create an access policy that supports F5 Access for ios. 1. On the Main tab, click Access > Profiles / Policies. The Access Profiles (Per-Session Policies) screen opens. 2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen. 3. Click the plus (+) sign that appears before the Logon Page action. 4. Under Server Side Checks, select Client Type, and click Add Item. 5. Click Save. The Client Type action is added to the access policy, and several new branches appear. 6. On the Edge Client branch of the Client Type action, click the plus (+) sign. 7. Under Server Side Checks, select Client OS, and click Add Item. 8. Configure the ios Branch Rule with the configuration objects and resources you want to assign to ios F5 Access. 9. Click Finished, and then click Save. 10. Add the network access resource to the branch. 11. Click Save. This access policy now supports F5 Access for ios. 14

15 Overview: Access Policies for F5 Access About access policy branches for F5 Access You can configure separate access policy branches for F5 Access. F5 Access does not support client-side checks; however, you can configure an access policy that provides network access for ios clients by using any of these methods: Create an access policy using Client-Side Capability. This provides a branch for clients that do not support client-side checks. Assign authentication and a network access resource to this branch. Use an existing access policy with client-side checks. The ios client will fail to the fallback branch of the first client-side check. Assign authentication and a network access resource to this branch. Add a Client OS Access Policy item, and assign authentication and resources to the ios branch. F5 Access for ios is detected with the following access policy items: Access policy item Client Type Client OS Value Edge Client ios Example of basic access policy that supports F5 Access You can configure an access policy branch to direct ios device users to F5 Access, and direct non-f5 Access device users to a fallback branch. This example displays a simple access policy.

16 Overview: Access Policies for F5 Access 16

17 Configuring Per-App VPN with APM and F5 Access What is per-app VPN? Apple's Network Extension framework supports layer-3 tunneling for both device-wide and Per-App VPN tunnels. This means that TCP and UDP protocols are supported for apps configured for Per-App VPN on F5 Access for ios Apps that are managed by a Mobile Device Manager (MDM) can be configured to automatically connect to a VPN when they are started. In addition, Mobile Safari can be managed for per-app VPN with a configuration profile and without an MDM. Per-app VPN gives IT granular control over corporate network access, and ensures that data transmitted by managed apps travels only through a VPN. Meanwhile, other data, like an employee's personal web browsing activity, does not use the VPN. Per-app VPN also works with Safari on a per-url basis. A per-app VPN configuration requires three configuration components. A device under MDM management, or a configuration profile file installed manually. For more information, see Configuration Profile Reference. A managed app installed on the device, or Mobile Safari. F5 Access for ios installed on the managed device. Important: The managed app and the MDM profile must be deployed with an MDM solution, except in the case of Mobile Safari. The F5 Access configurations may or may not be deployed with an MDM solution. Any app other than Mobile Safari must be installed by the MDM solution, and associated with a VPN configuration. About deploying MDM apps over VPNs The per-app VPN framework allows the administrator to limit VPN access to explicit apps only. Specifically, it allows applications to use one F5 Access configuration (or VPN connection). In practice, some applications may be associated with one F5 Access configuration, and other applications may be associated with other F5 Access configurations. Important: Once an app is associated with an F5 Access configuration by the MDM, it will use that VPN only. In this example, App 1 or App 2 can be active at the same time, because they use different VPN configurations.

18 Configuring Per-App VPN with APM and F5 Access Figure 2: Apps associated with different VPN configurations Note: On ios, you can only activate only one device-wide (user-initiated) VPN configuration at a time. However, multiple per-app VPNs can be active and connected simultaneously, on their own or in addition to the device VPN. Creating an access profile You create an access profile to provide the secured connection between the per-app VPN and the virtual server. 1. On the Main tab, click Access > Profiles / Policies. The Access Profiles (Per-Session Policies) screen opens. 2. Click Create. The New Profile screen opens. 3. In the Name field, type a name for the access profile. 4. From the Profile Type list, select SSL-VPN. 5. In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language. 6. Click Finished. The access profile appears in the Access Profiles List. Adding a version check to the access policy A version check allows you to distinguish between F5 Access for ios and earlier versions. You can use this information to assign the required full network access resource to the branch, for example, in a Per-App VPN scenario. 1. On the Main tab, click Access > Profiles / Policies. The Access Profiles (Per-Session Policies) screen opens. 2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen. 3. Click the (+) sign anywhere in the access policy to add a new action item. 18

19 BIG-IP APM and F5 Access for ios 2018 An Add Item screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on. 4. Click Add Item. The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen displays. 5. Click the Endpoint Security (Server-Side) tab. 6. Select the Client Type item, and click Add Item. 7. Click Save. 8. On the Edge Client branch, click the (+) sign to add a new action item. 9. Click the Endpoint Security (Server-Side) tab. 10. Select the Client OS item, and click Add Item. 11. Click Save. 12. On the ios branch, click the (+) sign to add a new action item. 13. Click the General Purpose tab. 14. Select the Empty item, and click Add Item. 15. On the Properties screen in the Name field, type ios Version. 16. Click the Branch Rules tab. 17. Click Add Branch Rule. 18. In the Name field, type Version Click the change link in the Expression area. A popup screen opens. 20. Click the Advanced tab. Use this tab to enter Tcl expressions. A text input field displays. 21. In the text field, type expr { [mcget {session.client.app_version}] == }, and click Finished. 22. Click Save. 23. Add a Network Access resource to the Version 3 branch. On the Version 3 branch, click the (+) sign to add a new action item. 24. Click the Assignment tab. 25. Select the Advanced Resource Assign item, and click Add Item. 26. Under Resource Assignment, click Add new entry. 27. Under Expression, click Add/Delete. 28. Click the Network Access tab, and select a Network Access resource to assign. 29. Click the Webtop tab, and select a webtop to assign. 30. Click Update. 31. Click Save. 32. On the fallback branch following the Advanced Resource Assign item, click the Deny ending. 33. Change the Deny ending to Allow, and click Save. 34. If you support F5 Access version 2.x clients, on the fallback branch, click the Deny ending. 35. Change the Deny ending to Allow, and click Save. 36. Click Apply Access Policy to save your configuration. The access profile appears in the Access Profiles List. Configure the virtual server to include this access policy, and make sure the Client SSL profile is enabled on the server. 19

20 Configuring Per-App VPN with APM and F5 Access Adding a client certificate check to the access policy A client certificate check allows you to authenticate the device to the access policy, without requiring any user interaction that would cause the creation of the per-app VPN tunnel to fail. 1. On the Main tab, click Access > Profiles / Policies. 2. In the Access Policy column, click the Edit link for the access profile you want to configure to launch the visual policy editor. The visual policy editor opens the access policy in a separate screen. 3. Click the (+) sign anywhere in the access policy to add a new action item. An Add Item screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on. 4. Click Add Item. The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen displays. 5. Click the Authentication tab. 6. Select the Client Cert Inspection item, and click Add Item. 7. The properties screen opens. Click Save. 8. On the Successful branch following the Client Cert Inspection item, click the Deny ending. 9. Change the Deny ending to Allow, and click Save. 10. Click Apply Access Policy to save your configuration. The access profile appears in the Access Profiles List. Configure the virtual server to include this access policy, and make sure the Client SSL profile is enabled on the server. About setting up Access Policy Manager for per-app VPN You configure specific settings in the Access Policy Manager to provide per-app VPN tunnels. Per-app VPN tunnels are full network access tunnels, and require Network Access resources in the Access Policy. Configure these items on the Access Policy Manager. The virtual server must be configured with an access profile. The virtual server should be configured with a basic configuration for the network access resource. You must specify the Client SSL profile on the virtual server. You must also include the same CA bundle on the server that is used to generate the certificate for the client devices. Note: Access policies for F5 Access version 2.1.x have different requirements. If you are planning to have both clients connect to the same virtual server, refer to your F5 Acccess documentation for more information. Configuring a virtual server for per-app VPN You must have Access Policy Manager licensed and provisioned. A virtual server profile enables support for the network access used by per-app VPN tunnels. 1. On the Main tab, click Local Traffic > Virtual Servers. 20

21 BIG-IP APM and F5 Access for ios 2018 The Virtual Server List screen opens. 2. Click the name of the virtual server you want to modify. 3. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created, and using the Move button, move the name to the Selected list. 4. In the Access Policy area, from the Access Profile list, select the access profile. 5. From the Connectivity Profile list, select the connectivity profile. 6. Click Update to save the changes. The virtual server is configured for per-app VPN. 21

22

23 Managing Devices for F5 Access About managing devices With an MDM, you manage devices by enrolling them. Refer to your MDM documentation to enroll devices. With this release, your MDM vendor may not include built-in support. We provide general guidance for your MDM configuration, if it supports custom configurations. Important: A user must enroll the device with the MDM in order for you to manage the device. However, you can deploy VPN configurations to the devices that aren't under management. F5 Access must be installed on the device to deploy configurations. F5 Access can be installed either by the user, or deployed with the MDM solution. Creating a custom device-wide VPN MDM profile Your MDM may not currently support F5 Access for ios The VPN MDM profile for previous versions of F5 Access is not compatibile with F5 Access for ios If your MDM allows you to create custom configuration profiles, use these generic settings to configure the profile. Important: Consult with your MDM vendor to determine support. Refer to your MDM documentation before making changes. 1. Add a VPN profile. 2. For the Connection Type, specify Custom. 3. For the Identifier, specify com.f5.access.ios. 4. Complete the rest of the configuration as required. Creating a custom Per-App VPN MDM profile Your MDM may not currently support F5 Access for ios The VPN MDM profile for previous versions of F5 Access is not compatibile with F5 Access for ios If your MDM allows you to create custom configuration profiles, use these generic settings to configure the profile. Important: Consult with your MDM vendor to determine support. Refer to your MDM documentation before making changes. 1. Add a VPN profile. 2. For the Connection Type, specify Custom. 3. For the Identifier, specify com.f5.access.ios. 4. For the Provider Type, specify Packet Tunnel. 5. Complete the rest of the configuration as required.

24 Managing Devices for F5 Access Creating a configuration profile for the managed device Before you assign a configuration profile to a device, that device must be enrolled with your MDM. Additionally, F5 Access must be installed on the device. A configuration profile enables the per-app VPN feature on a managed device, and specifies which apps use the VPN. Create a configuration profile for the device. Configuration profiles are described at the Apple Configuration Profile Reference. Configure Access Policy Manager to provide the necessary support for per-app VPN features. Device identification configuration profile settings These are settings for identifying devices in an MDM profile. Device identification settings Hardware manufacturers have phased out support for many methods of device identification, including UDID, wireless MAC, and others. To identify devices, you can use the device IDs assigned by the MDM. Table 5: Device identification commands Key MdmAssignedId MdmInstanceId MdmDeviceUniqueId MdmDeviceWifiMacAddress MdmDeviceSerialNumber Type String String String String String Description The internal device ID assigned to the device by the MDM. An arbitrary string that identifies particular MDM instance. An assigned ID for the device. The wireless MAC address of the device. An assigned serial number for the device. Device ID example for ios In this example, the commands are deployed in the VendorConfig document. <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" " <plist version="1.0"> <dict>... <key>vendorconfig</key> <dict> <key>mdmassignedid</key> <string>mdm assigned ID here</string> <key>mdminstanceid</key> <string>some MDM instance ID here</string> <key>mdmdeviceuniqueid</key> <string>device ios UDID here</string> 24

25 BIG-IP APM and F5 Access for ios <key>mdmdevicewifimacaddress</key> <string>device wifi mac address here</string> <key>mdmdeviceserialnumber</key> <string>device serial number here</string> </dict> Web Logon setting This setting configures Web Logon mode in an MDM profile. Web Logon configuration In the MDM configuration profile, you can use the command WebLogon to specify whether Web Logon is enabled. Use the syntax <key>weblogon</key><string>true false</string>. If you configure Enforce Logon Mode in the Connectivity Profile on Access Policy Manager, that setting overrides the Web Logon setting configured in the MDM profile, or in a manual configuration. Note: Web Logon is not supported with Per-App VPN. Device-wide VPN configuration profile settings Settings for the device-wide VPN profiles in an MDM configuration. Device-wide VPN settings Configure a device-wide VPN by specifyng the VPN payload. For the PayloadType value, specify com.apple.vpn.managed. F5 Access 3.0 VPN configurations must define the following keys: Table 6: System-Wide VPN specific keys Key PayloadType VPNType VPNSubType VPNUUID OnDemandEnabled OnDemandRules Type String String String String Int Array of Dictionaries Description com.apple.vpn.managed VPN com.f5.access.ios A globally-unique identifier for this VPN configuration. This identifier is used to configure apps so that they use the Per-App VPN service for all of their network communication. 1 if the VPN connection should be brought up on demand, or else 0. Determines when and how an on-demand VPN should be used. See On Demand Rules Dictionary Keys for details. Example device-wide VPN configuration profile Includes a sample configuration profile for the device-wide VPN configuration profile. 25

26 Managing Devices for F5 Access Device-wide VPN configuration example profile The following example uses sample data only. For your own configuration, items like the PayloadDisplayName, PayloadUUID, UserDefinedName, and the user name, password and certificate information must be customized to your network and installation. <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" " <plist version="1.0"> <dict> <key>payloadcontent</key> <array> <dict> <key>ipv4</key> <dict> <key>overrideprimary</key> <integer>0</integer> </dict> <key>payloaddescription</key> <string>configures VPN settings</string> <key>payloaddisplayname</key> <string>vpn</string> <key>payloadidentifier</key> <string>com.apple.vpn.managed.e3c ac bd f2ada1ee</string> <!-- F5 COMMENT: PayloadType key: for System-Wide VPN the value is "com.apple.vpn.managed" --> <key>payloadtype</key> <string>com.apple.vpn.managed</string> <key>payloaduuid</key> <string>e3c ac bd f2ada1ee</string> <key>payloadversion</key> <integer>1</integer> <key>proxies</key> <dict> <key>httpenable</key> <integer>0</integer> <key>httpsenable</key> <integer>0</integer> </dict> <key>userdefinedname</key> <string>vpn Config</string> <key>vpn</key> <dict> <key>authname</key> <string>username</string> <key>authpassword</key> <string>password</string> <key>authenticationmethod</key> <string>password</string> <key>remoteaddress</key> <string> </dict> <!-- F5 COMMENT: VPNSubType key: For F5 Access the value should be "com.f5.access.ios" --> <key>vpnsubtype</key> <string>com.f5.access.ios</string> <!-- F5 COMMENT: VPNType key: Specifies VPN type, for F5 Access VPN should be "VPN" --> <key>vpntype</key> <string>vpn</string> <key>vendorconfig</key> <dict/> </dict> </array> <key>payloaddisplayname</key> <string>systemwidevpndemo</string> 26

27 BIG-IP APM and F5 Access for ios 2018 <key>payloadidentifier</key> <string>xyz-ml dbcd844f-1b48-55af-a262-82b d</string> <key>payloadremovaldisallowed</key> <false/> <key>payloadtype</key> <string>configuration</string> <key>payloaduuid</key> <string>842bf e86-a73f-8c44e1e36d72</string> <key>payloadversion</key> <integer>1</integer> </dict> </plist> Per-App VPN configuration profile settings Settings for the per-app VPN profile in an MDM. Per-App VPN settings The per-app VPN payload supports all of the keys described in the Apple Configuration Profile Reference. These keys, specific to the per-app VPN payload, are described in that reference as well. Table 7: Per-App VPN keys Key PayloadType VPNType ProviderType VPNSubType VPNUUID OnDemandMatchAppEnabled (optional) SafariDomains (optional) Type String String String String String Boolean Array Description com.apple.vpn.managed.applayer VPN packet-tunnel com.f5.access.ios A globally-unique identifier for this VPN configuration. This identifier is used to configure apps so that they use the per-app VPN service for all of their network communication. If true, the per-app VPN connection starts automatically when apps linked to this per-app VPN service initiate network communication. If false, the per-app VPN connection will not start. If this key is not present, the value of the OnDemandEnabled key is used to determine the status of per-app VPN On Demand. This key is a special case of App-to-Per App VPN Mapping. It sets up the app mapping for Safari with a specific identifier and a designated requirement. The array contains strings, each of which is a domain that triggers a VPN connection in Safari. Do not specify a full URI; rule matching works only with the domain name. The rule matching behavior is as follows: Before being matched against a host, all leading and trailing dots are stripped from the domain 27

28 Managing Devices for F5 Access Key Type Description string. For example, if the domain string is.com the domain string used to match is com. Each label in the domain string must match an entire label in the host string. For example, a domain of example.com matches " but not old.badexample.com. Domain strings with only one label must match the entire host string. For example, a domain of com matches com, not Example per-app VPN configuration profile Includes a sample configuration profile for the per-app VPN configuration profile. Per-App VPN configuration example profile The following example uses sample data only. For your own configuration, items like the PayloadDisplayName, PayloadUUID, UserDefinedName, and the user name, password and certificate information must be customized to your network and installation. <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" " <plist version="1.0"> <dict> <key>payloadcontent</key> <array> <dict> <key>ipv4</key> <dict> <key>overrideprimary</key> <integer>0</integer> </dict> <key>payloaddescription</key> <string>configures VPN settings</string> <key>payloaddisplayname</key> <string>vpn</string> <key>payloadidentifier</key> <string>com.apple.vpn.managed.cf2c73e8-b7ad-442f-bf cc</string> <!-- F5 COMMENT: PayloadType key: for Per-App VPN the value is "com.apple.vpn.managed.applayer" --> <key>payloadtype</key> <string>com.apple.vpn.managed.applayer</string> <key>payloaduuid</key> <string>cf2c73e8-b7ad-442f-bf cc</string> <key>payloadversion</key> <integer>1</integer> <key>proxies</key> <dict> <key>httpenable</key> <integer>0</integer> <key>httpsenable</key> <integer>0</integer> </dict> <key>userdefinedname</key> <string>per-app VPN Demo</string> <key>vpn</key> <dict> <key>authname</key> <string>username</string> 28

29 BIG-IP APM and F5 Access for ios 2018 <key>authpassword</key> <string>password</string> <key>authenticationmethod</key> <string>password</string> <!-- F5 COMMENT: ProviderType key: F5 Access 2018 supports only "packet-tunnel" value for this key --> <key>providertype</key> <string>packet-tunnel</string> <key>ondemandmatchappenabled</key> <true/> <key>remoteaddress</key> <string> </dict> <!-- F5 COMMENT: VPNUUID key: A globally-unique identitifer for the VPN configuration. This identifier is used to configure apps so that they use the Per-App VPN service for all of their network communication --> <key>vpnuuid</key> <string> c3-470d-afaa-5a9e4d519da1</string> <!-- F5 COMMENT: VPNSubType key: For F5 Access the value is "com.f5.access.ios" --> <key>vpnsubtype</key> <string>com.f5.access.ios</string> <!-- F5 COMMENT: VPNType key: Specifies VPN type, for F5 Access VPN is "VPN" --> <key>vpntype</key> <string>vpn</string> <key>vendorconfig</key> <dict/> <key>safaridomains</key> <array> <string>test.siterequest.com</string> </array> </dict> </array> <key>payloaddisplayname</key> <string>perappvpndemo</string> <key>payloadidentifier</key> <string>xyz-ml c4b7f07b-9c1c-f3f2-bb80-a30390ad085f</string> <key>payloadremovaldisallowed</key> <false/> <key>payloadtype</key> <string>configuration</string> <key>payloaduuid</key> <string>bd56e80e-bfce-4fd6-aedb c6ade8</string> <key>payloadversion</key> <integer>1</integer> </dict> </plist> 29

30

31 Additional Access Policy Manager Configuration Information F5 Access for ios session variables The following table contains a list of session variables and their attributes. Session variable session.client.type session.client.platform session.client.app_id session.client.app_version session.user.agent session.client.model session.client.platform_version session.client.jailbreak session.client.biometric_fingerprint session.client.vpn_scope session.client.vpn_tunnel_type session.client.vpn_start_type session.client.version Description Indicates the client type, for example Standalone. Indicates the platform type, such as ios. The app ID for the client. For F5 Access for ios this is com.f5.edge-client. The app version for the client. For F5 Access 2018 this is Indicates the browser, device type, and operating system version of the client, as well as the version of F5 Access. Indicates the model name of the mobile device. For example, iphone Indicates the platform and version of the mobile device. For example, 11.1 Indicates the jailbreak status of the device. 0 indicates the device is not jailbroken, 1 indicates the device is jailbroken, and an empty response indicates that the status of the device is unknown. Indicates whether the device supports biometric fingerprint authentication. 1 indicates that a fingerprint is configured, 0 indicates that a fingerprint is not configured, or the device does not support fingerprint authentication. Indicates the scope of the VPN tunnel. The result is device for a device-wide VPN connection, and per-app for a per-app VPN. Indicates the type of VPN tunnel. For F5 Access for ios, this is L3. Indicates how the VPN connection was initiated. manual - Indicates that the connection was initiated by the user. on-demand - Indicates that connection is either a device-wide VPN triggered On-Demand or a Per-app VPN connection. Indicates the client protocol version. For ios, the value is always 2.0.

32 Additional Access Policy Manager Configuration Information Session variable session.client.device_passcode_set session.client.browscap_info session.client.hostname session.client.js session.client.mdm_device_unique_id, session.client.unique_id session.client.mdm_assigned_id session.client.mdm_instance_id Description Indicates whether the user has a device unlock passcode, PIN, or biometric authentication configured. The results is 1 if a device lock is configured, and 0 if it is not. Specifies the browser information presented. For example, uimode=7&ctype=standalone &cversion=2.0&cjs=0&cactivex=0 &cplugin=0&cplatform=ios&cpu=arm This is the device host name (for example, SandysiPhone). Indicates whether the device used Web Logon mode to log on. The result is 1 if Web Logon Mode was used, and 0 if it was not. This value is provided by an MDM with the MdmDeviceUniqueId or UDID attribute. If both attributes are provided, MdmDeviceUniqueId takes preference. If neither is provided this session variable is not present. If this field is provided by the MDM, both session variables are present. An example value is RC1KQLCJFOJEEM0XIOB3P52OMUQ3UN9Y3SDA5RWR. This value is provided by the MDM in the MdmAssignedId attribute. If this attribute is not provided, the session variable is not present. The value is provided by the MDM in the MdmInstanceId attribute. If this attribute is not provided, the session variable is not present. session.client.mdm_device_wifi_mac_address The value is provided by the MDM in the MdmDeviceWifiMacAddress or WiFiMAC attribute. If both attributes are provided, MdmDeviceWifiMacAddress takes preference. If neither attribute is provided, the session variable is not present. session.client.mdm_device_serial_number The value is provided by the MDM in the MdmDeviceSerialNumber or SerialNumber attribute.if both attributes are provided, MdmDeviceSerialNumber takes preference. If neither attribute is provided, the session variable is not present. Access Policy Manager configuration tips The following table provides tips for setting up F5 Access for devices. Feature Client endpoint checks Require Device Authentication Information Client end-point checks are not currently supported. For devices with ios 9 or later, F5 Access can require device authentication with one of the device locking methods, including biometric authentication (Touch ID), a PIN, or a passphrase. To enable device authentication for F5 Access, in the Connectivity Profile under ios Edge Client, enable the options Allow Password Caching and Require Device Authentication. 32

33 BIG-IP APM and F5 Access for ios 2018 Feature Information Password caching policy In the Connectivity profile, you can configure password caching by enabling the setting Allow Password Caching. When this setting is enabled, after a successful logon the submitted credentials are cached. Specify a Save Password Method. If you select disk, an encrypted password is cached on the device with no expiration time. If you select memory, an encrypted password is cached on the device for the time specified in the Password Cache Expiration (minutes) field. Credentials are not cleared if the user disconnects or restarts the device. If credentials are cached and the Save Password Method is memory, then credentials are cached until one of the following events occurs: The specified credential cache duration expires. The server address of the configuration within the application changes. The username of the configuration within the application changes. The F5Access user switches between configurations. To require the user to authenticate on the device before unlocking the cached credentials, select Require Device Authentication. Enforce Logon Mode Client certificates On-Demand Cert Auth You can enforce the logon mode for the ios client. In the Connectivity Profile, select ios Edge Client, and click Enforce Logon Mode. Select Native or Web and click OK. The logon mode will be enforced for all clients that use the connectivity profile. Client certificate authentication is supported, either with a certificate alone or with a certificate secured with a user name and password. However, client certificates can be installed only by an MDM with a profile, or with a.mobileconfig file. If used, the On-Demand Cert Auth action must be placed after other authentication actions in the access policy. About starting the client from a URL scheme You can start F5 Access connections for users from a URL. You can then provide these URLs to users, so they can start the VPN connection without having to manually start the application. If there is already an active connection, a prompt appears to warn the user that the existing connection must be stopped before the new connection can start. The connection uses a client certificate if it is specified in the existing configuration. URL connections use the following parameters. This is an example, you must provide your own parameters and values. f5access://{start stop}?[parameter1=value1&parameter2=value2...] Note: Special characters in parameters must be URL-encoded. The syntax to start a connection from a URL follows. 33